Question 1

A company has an application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The application is in an AWS account that has AWS CloudTrail enabled. The company restricts access to the application by adding the IP addresses of end users to a security group that is associated with the ALB.

The company is developing an AWS Lambda function to determine if the allowed IP addresses have accessed the application recently. If an allowed IP address has not accessed the application in the last 90 days, the Lambda function will remove the IP address from the security group.

The company needs to implement the functionality for the Lambda function to check the IP addresses.

Which combination of steps will provide this functionality MOST cost-effectively? (Select TWO.)

AFor the VPC that contains (he ALB, configure VPC flow logs to be sent to a log group in Amazon CloudWatch Logs.

BEnable access logging on the ALB. Create an Amazon Athena table to query the ALB access logs.

CProgram the Lambda function to check when each allowed IP address from the security group last appeared in the VPC flow logs.

DProgram the Lambda function to check when each allowed IP address from the security group last appeared in the ALB access logs

EProgram the Lambda function to check when each allowed IP address from the security group last appeared in the CloudTrail logs.

Answer : B, D

Question 2

A company has separate AWS accounts for each of its departments. The accounts are in OUs that are in an organization in AWS Organizations. The IT department manages a private certificate authority (CA) by using AWS Private Certificate Authority in its account.

The company needs a solution to allow developer teams in the other departmental accounts to access the private CA to issue certificates for their applications. The solution must maintain appropriate security boundaries between accounts.

Which solution will meet these requirements?

ACreate an AWS Lambda function in the IT account. Program the Lambda function to use theAWS Private CA API to export and import a private CA certificate to each department account. Use Amazon EventBridge to invoke the Lambda function on a schedule.

BCreate an 1AM identity-based policy that allows cross-account access to AWS Private CA. In the IT account, attach this policy to the private CA. Grant access to AWS Private CA by using the AWS Private CA API.

CIn the organization's management account, create an AWS CloudFormation stack to set up a resource-based delegation policy. Update the policy to allow the organizations: EnableAWSServiceAccess action. Add the ARN of the private CA from the IT account as the principal in the policy statement.

DUse AWS Resource Access Manager (AWS RAM) in the IT account to enable sharing in the organization. Create a resource share. Add the private CA resource to the resource share. Grant the department OUs access to the shared CA.

Answer : C

Question 3

A company hosts its primary API on AWS by using an Amazon API Gateway API and AWS Lambda functions that contain the logic tor the API methods. The company's internal applications use the API tor core functionality and business logic. The company's customers use the API to access data from their accounts. Several customers also have access to a legacy API that is running on a single standalone Amazon EC2 instance.

The company wants to increase the security for these APIs to better prevent denial of service (DoS) attacks, check for vulnerabilities, and guard against common exploits.

What should a solutions architect do to meet these requirements?

AUse AWS WAF to protect both APIs. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor (or malicious attempts to access the APIs.

BUse AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze both APIs. Configure Amazon GuardDuty to block malicious attempts to access the APIs.

CUse AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.

DUse AWS WAF to protect the API Gateway API. Configure Amazon Inspector to protect the legacy API. Configure Amazon GuardDuty to block malicious attempts to access the APIs.

Answer : B

Question 4

A global ecommerce company has many data centers around the world. With the growth of its stored data, the company needs to set up a solution to provide scalable storage for legacy on-premises file applications. The company must be able to take point-in-time copies of volumes by using AWS Backup and must retain low-latency access to frequently accessed dat

a. The company also needs to have storage volumes that can be mounted as Internet Small Computer System Interface (iSCSI) devices from the company's on-premises application servers.

Which solution will meet these requirements?

AProvision an AWS Storage Gateway tape gateway. Configure the tape gateway to store data in an Amazon S3 bucket. Deploy AWS Backup to take point-in-time copies of the volumes.

BProvision an Amazon FSx File Gateway and an Amazon S3 File Gateway. Deploy AWS Backup to take point-in-time copies of the data.

CProvision an AWS Storage Gateway volume gateway in cache mode. Back up the on-premises Storage Gateway volumes with AWS Backup.

DProvision an AWS Storage Gateway file gateway in cache mode. Deploy AWS Backup to take point-in-time copies of the volumes.

Answer : C

Question 5

A company recently completed a successful proof of concept of Amazon Workspaces. A solutions architect needs to make the solution highly available across two AWS Regions. Amazon Workspaces is deployed in a failover Region, and a hosted zone is deployed in Amazon Route 53.

What should the solutions architect do to configure high availability for the solution?

ACreate a connection alias in the primary Region and in the failover Region. Associate the connection aliases with a directory in each Region. Create a Route 53 failover routing policy. Set Evaluate Target Health to Yes.

BCreate a connection alias in the primary Region and in the failover Region. Associate the connection aliases with a directory in the primary Region. Create a Route 53 multivalue answer routing policy.

CCreate a connection alias in the primary Region. Associate the connection alias with a directory in the primary Region. Create a Route 53 weighted routing policy.

DCreate a connection alias in the primary Region. Associate the connection alias with a directory in the failover Region. Create a Route 53 failover routing policy. Set Evaluate Target Health to Yes.

Answer : A

Free Practice Questions for Amazon SAP-C02 Exam

Question 1

Question 2

Question 3

Question 4

Question 5